Kernel: LWN Coverage (No Longer Paywalled) and Initial HDMI 2.0 Support With Nouveau Slated For The Next Linux Kernel

Back in the halcyon days of the previous century, those with a technical inclination often became overly acquainted with modems—not just the strange sounds they made when connecting, but the AT commands that were used to control them. While the AT command set is still in use (notably for GSM networks), it is generally hidden these days. But some security researchers have found that Android phones often make AT commands available via their USB ports, which is something that can potentially be exploited by rogue USB devices of various sorts.

A paper [PDF] that was written by a long list of researchers (Dave (Jing) Tian, Grant Hernandez, Joseph I. Choi, Vanessa Frost, Christie Ruales, Patrick Traynor, Hayawardh Vijayakumar, Lee Harrison, Amir Rahmati, Michael Grace, and Kevin R. B. Butler) and presented at the 27th USENIX Security Symposium described the findings. A rather large number of Android firmware builds were scanned for the presence of AT commands and many were found to have them. That's not entirely surprising since the baseband processors used to communicate with the mobile network often use AT commands for configuration. But it turns out that Android vendors have also added their own custom AT commands that can have a variety of potentially harmful effects—making those available over USB is even more problematic.

They started by searching through 2018 separate Android binary images (it is not clear how that number came about, perhaps it is simply coincidental) from 11 different vendors. They extracted and decompressed the various pieces inside the images and then searched those files for AT command strings. That process led to a database of 3500 AT commands, which can be seen at the web site for ATtention Spanned—the name given to the vulnerabilities.

The Linux Security Module (LSM) subsystem allows security modules to hook into many low-level operations within the kernel; modules can use those hooks to examine each requested operation and decide whether it should be allowed to proceed or not. In theory, just about every low-level operation is covered by an LSM hook; in practice, there are some gaps. A discussion regarding one of those gaps — low-level ioctl() operations on XFS filesystems — has revealed a thorny problem and a significant difference of opinion on what the correct solution is.

In late September Tong Zhang pointed out that xfs_file_ioctl(), the 300-line function that dispatches the various ioctl() operations that can be performed on an XFS filesystem, was making a call to vfs_readlink() without first consulting the security_inode_readlink() LSM hook. As a result, a user with the privilege to invoke that operation (CAP_SYS_ADMIN) could read the value of a symbolic link within the filesystem, even if the security policy in place would otherwise forbid it. Zhang suggested that a call to the LSM hook should be added to address this problem.

Days after Nouveau DRM maintainer Ben Skeggs began staging changes for this open-source NVIDIA driver ahead of the next kernel cycle, this evening Ben Skeggs submitted the DRM-Next pull request to queue this work for the Linux 4.20/5.0 kernel cycle.

As covered in that previous article, there isn't a whole lot on the Nouveau kernel driver front at this time. Skeggs summed up these open-source NVIDIA driver changes as: "Just initial HDMI 2.0 support, and a bunch of other cleanups."

One of the most common tasks carried out by device drivers is setting up DMA operations for data transfers between main memory and the device. Often, data read into memory from one device will be immediately written, unchanged, to another device. Common examples include carrying the image between the camera and screen on a mobile phone, or downloading files to be saved on a disk. Those transfers have an impact on the CPU even if it does not use the data directly, due to higher memory use and effects like cache trashing. There are cases where it is possible to avoid usage of the system memory completely, though. A patch set (posted by Logan Gunthorpe with contributions by Christoph Hellwig and Steve Wise) has been in the works for some time that addresses this case for PCI devices using peer-to-peer (P2P) transfers, with a focus on offering an offload option for the NVMe fabrics target subsystem.

Overland, a stylish strategy game where every single step counts is due for a full release next year and it's looking good. It's been quite some time since we talked about it, as we previously highlighted way back in 2016. Since then, it's obviously had a lot of spit and polish.

Jupiter Hell is a roguelike I'm following with great excitement, it's serving a the spiritual successor to DRL (previously DoomRL, now called DRL since ZeniMax flexed their legal muscles) and it's looking good.
After a rather successful Kickstarter, where they managed to get over £70K in funding it's coming along rather nicely.

While Warhammer 40,000: Gladius is a pretty good strategy game, it did feel somewhat limited. Things are about to get hectic, prepare your defences for the Tyranids.
Tyranids will be released in the form of a DLC that will be available in January next year as a playable race. The developers say they will be "radically different" to play as due to their gameplay mechanics, although they haven't yet gone into detail on what exactly is different.

A developer from Bulwark Studios has detailed their plans to get Warhammer 40,000: Mechanicus onto Linux and it sounds good.
After releasing for Windows in November, they've pushed out a few patches to improve various aspects of the game. It seems like they've done well with it, since it's sat at a "Very Positive" user rating with over one thousand users giving their thoughts.
For the Linux release, they're going to put up an opt-in beta version "before the Christmas holiday" with an aim to release in full once the holiday period is over. See their post here on Steam for more info.

Inspired by a love for games like Harvest Moon, Verdant Skies from Howling Moon Software is what they're calling a 'life simulation game'. Along with a recent update to the game on Friday, December 14th they also added a Linux version of the game.

Frosty Fest is now live in Rocket League, giving you a chance to earn Snowflakes as you play online to redeem special winter-themed items.
As always, it's completely free. The in-game currency cannot be purchased and can only be earned simply by playing the game in online matches. It's just a fun little event for players to earn some fun customisation items.

The Long Dark, the survival game pitting you against the harsh environment and wildlife has a big free update out.
As they've been talking about for a while, this update is the overhauled versions of Episodes One and Two. With a third episode due at some unspecified time.

Solve a puzzle at the Linux command line with nudoku

Welcome back to another installment in our 24-day-long Linux command-line toys advent calendar. If this is your first visit to the series, you might be asking yourself what a command-line toy even is. We’re figuring that out as we go, but generally, it could be a game, or any simple diversion that helps you have fun at the terminal.
Some of you will have seen various selections from our calendar before, but we hope there’s at least one new thing for everyone.

Programming: JS, Python and More

You can do as much as you can to modularize your code base, but how much confidence do you have in each of the modules? If one of the E2E tests fails, how would you pinpoint the source of the error? How do you know which module is faulty?You need a lower level of testing that works at the module level to ensure they work as distinct, standalone units—you need unit tests. Likewise, you should test that multiple units can work well together as a larger logical unit; to do this, you need to implement some integration tests.

Chukwudi, or Chux as he is often referred to in more familiar circles, is the president of Python Nigeria (@PythonNigeria) and has served as part of the PSF’s Grants Working Group for several years. Some of the work he has done with the grants working group involves dealing with very delicate situations, as grant requests need to be authenticated and require due diligence to properly understand the local context for preparing and awarding a grant. According to Nicholas H. Tollervey, a fellow Grants Working Group member, Chux regularly contacts, researches and (where possible) visits in-person many of the requesters so the Grants Work Group has the context needed to be able to make an informed decision. All of this detail oriented work requires a great deal of interpersonal skill and effort, which Chux exerts freely as a credit to our larger Python community.

This week we welcome Irina Truong (@irinatruong) as our PyDev of the Week! Irina has been a speaker at several Python conferences and is a maintainer for pgcli, a Python package that is a command-line interface to the Postgres database. You can see what else she has been up to over on Github. Let’s spend some time getting to know Irina!

Welcome back to the multitas project which we have already created two features for this application in the previous articles 1) Remove duplicate files 2) Move file from one folder to another. In this chapter, we are just going to tidy up the buttons on the user interface before we continue to build the next task in the next chapter. What we are going to do here is to create a button container to keep all the buttons that we will use in our program. Below is the full source code which will result in this below outcome.

To get started, take a look at the recent webinar ”Develop Your First Qt for Python Application’‘ on how to develop an application from scratch, based on Qt Widgets and different Python modules. You’ll also see some examples on how to continue developing with other Qt for Python components, such as QML and Shiboken.

Logitech Options is an app that controls all of Logitech’s mice and keyboards. It offers several different configurations like Changing function key shortcuts, Customizing mouse buttons, Adjusting point and scroll behavior and etc. This app contained a huge security flaw that was discovered by Tavis Ormandy who is a Google security researcher. It was found that Logitech Options was opening a WebSocket server on each individual computer Logitech Options was run on. This WebSocket server would open on port 10134 on which any website could connect and send several various commands which would be JSON-encoded.

I am extremely pleased to announce the public release of pwnedkeys.com – a database of compromised asymmetric encryption keys. I hope this will become the go-to resource for anyone interested in avoiding the re-use of known-insecure keys. If you have a need, or a desire, to check whether a key you’re using, or being asked to accept, is potentially in the hands of an adversary, I would encourage you to take a look.

Latest News

Review: Rolling in the Void

Void is an independently-developed, rolling-release Linux distribution with a number of interesting characteristics, such as its own package management system (called XBPS), a custom init system (runit), integration of LibreSSL instead of OpenSSL in the base operating system, and support for several popular ARM-based devices as well as x86 images. The operating system is available in several editions, including Cinnamon, Enlightenment, LXDE, LXQt, MATE and Xfce. New Void users will also be able to choose whether to run the distribution with the GNU C Library or musl libc library. I opted to download the Xfce edition running on the GNU C Library for 64-bit machines; the ISO was 693MB in size.
Booting from the Void media brought up the Xfce 4.12 desktop environment. The desktop is presented with a panel at the top of the screen which holds the application menu and system tray. At the bottom of the display is a dock where we can quick-launch applications. The desktop has a few icons for launching the Thunar file manager. If Void detects any disk partitions these will also be listed on the desktop for easy access. The theme is mostly grey and relatively plain.

Slax is a Nifty Linux Distribution That Works from USB

Slax is a portable Linux distribution that runs from USB, it aims to create a modular, modern and lightweight Linux distribution which can be carried anywhere in a USB stick. It’s also Debian-based, which allows you as a user to access tons of packages provided by Debian using the apt command.
Slax 9.6 was released last November. So we downloaded the latest release and tried it, our experience with it was great so far, see our review below for a detailed tour in Slax.

Sparky 5.6

There are new live/install iso images of SparkyLinux 5.6 “Nibiru” available to download. This it the 4th and the last this year iso image update of the rolling line, which is based on Debian testing “Buster”.